Keyboard Kittens and Directory Traversal Dogs

In a previous article we explained what path/directory traversal is. And we looked at what happens behind the scenes on the server side. In this article we will take a look at the source of the problem.

Clearly not a masterpiece of code that I’ve written here. But it does the job of demonstrating the vulnerability.

Here is a screenshot of the code. As you can see, it is straight forward. But let’s walk though it anyway.

No alt text provided for this image

On line 13 we are declaring a variable called file. The variable holds whatever is collected by the HTTP GET request. Which ,in turn, accepts the user input in a URL parameter called image.

In other words: User Input in image > HTTP GET > file variable

An example of this would be a user clicking on an image. The browser sends a GET request to grab the image from the web server. Then display the image in the browser.

The URL that does the magic, will look something like this

https://localhost/vulnphp/lfi.php?image=kittens.jpg

Keyboard Kittens

On line 15 we start a simple if/else statement.

If the value held by the file variable (in our case kittens.jpg) exists, then the server accepts it and can fetch it from its directories and displays it to the user. Otherwise, if a cat walks on the keyboard and ends up typing something random like asdfou.jpg, then a 404 error page is returned instead.

No alt text provided for this image
Image source: https://brokelyn.com/learn-to-code-kittens-nyu/

Directory Traversal Dogs

Assuming the user is a dog person, with no cats walking on their keyboard, they click on an existing image, and the following URL is created:

https://localhost/vulnphp/lfi.php?image=cutepuppies.jpg
No alt text provided for this image
Image source: https://yannmjl.medium.com/coding-interview-problem-solving-techniques-ae6a82d98dbb

 And therein lies the vulnerability. Because our code doesn’t do any checks on what is being “included” we have to wonder what happens if the user tries to include a file outside the web directory.

The result will be path/directory traversal and they’ll be able to display the contents of arbitrary files like the example below.

https://localhost/vulnphp/lfi.php?image=../../../../.././../etc/passwd

Final Question

This of course leaves us with a final question. Are you a cat or a dog person?

I hope this clarifies file/directory traversal more.

For any feedback, suggestions or corrections, don’t hesitate to get in touch.